<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=18" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <link rel="canonical" href="https://twitter.com/billyleonard/status/1458531997576572929" />
    <title>billy leonard (@billyleonard): &quot;Nice writeup on APT31. One thing to note, the malware referred to as Rekoobe that was used by APT31 is an older, open source tool, Tiny SHell or tsh. This has been used by multiple actors since at least 2012, across platforms.

https:&#x2F;&#x2F;github.com&#x2F;creaktive&#x2F;tsh
https:&#x2F;&#x2F;packetstormsecurity.com&#x2F;files&#x2F;31650&#x2F;tsh-0.6.tgz.html&quot;|nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="theme-color" content="#1F1F1F" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="billy leonard (@billyleonard)" />
    <meta property="og:description" content="Nice writeup on APT31. One thing to note, the malware referred to as Rekoobe that was used by APT31 is an older, open source tool, Tiny SHell or tsh. This has been used by multiple actors since at least 2012, across platforms.

https://github.com/creaktive/tsh
https://packetstormsecurity.com/files/31650/tsh-0.6.tgz.html" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/card_img%2F1557781122834206725%2F0uKyWKBb%3Fformat%3Djpg%26name%3D600x600%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/card_img%2F1557781122834206725%2F0uKyWKBb%3Fformat%3Djpg%26name%3D600x600" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/card_img%2F1557781122834206725%2F0uKyWKBb%3Fformat%3Djpg%26name%3D600x600" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread"><div id="m" class="main-tweet"><div class="timeline-item "><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/billyleonard"><img class="avatar round" src="/pic/profile_images%2F336754759%2Fshaka_black_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/billyleonard" title="billy leonard">billy leonard</a>
                        <a class="username" href="/billyleonard" title="@billyleonard">@billyleonard</a>
                      </div>
                      <span class="tweet-date"><a href="/billyleonard/status/1458531997576572929#m" title="Nov 10, 2021 · 8:28 PM UTC">10 Nov 2021</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Nice writeup on APT31. One thing to note, the malware referred to as Rekoobe that was used by APT31 is an older, open source tool, Tiny SHell or tsh. This has been used by multiple actors since at least 2012, across platforms.

<a href="https://github.com/creaktive/tsh">github.com/creaktive/tsh</a>
<a href="https://packetstormsecurity.com/files/31650/tsh-0.6.tgz.html">packetstormsecurity.com/file…</a></div>
                <div class="card large"><a class="card-container" href="https://github.com/creaktive/tsh">
                    <div class="card-image-container"><div class="card-image"><img src="/pic/card_img%2F1557781122834206725%2F0uKyWKBb%3Fformat%3Djpg%26name%3D600x600" alt="" /></div></div>
                    <div class="card-content-container"><div class="card-content">
                        <h2 class="card-title">GitHub - creaktive&#x2F;tsh: Tiny SHell - An open-source UNIX backdoor (I&#x27;m not the author!)</h2>
                        <p class="card-description">Tiny SHell - An open-source UNIX backdoor (I&#x27;m not the author!) - GitHub - creaktive&#x2F;tsh: Tiny SHell - An open-source UNIX backdoor (I&#x27;m not the author!)</p>
                        <span class="card-destination">github.com</span>
                      </div></div>
                  </a></div>
                <div class="quote quote-big">
                  <a class="quote-link" href="/sekoia_io/status/1458352941769838595#m"></a>
                  <div class="tweet-name-row">
                    <div class="fullname-and-username">
                      <img class="avatar round mini" src="/pic/profile_images%2F1405138957042552832%2FxUengnph_mini.jpg" />
                      <a class="fullname" href="/sekoia_io" title="SEKOIA.IO">SEKOIA.IO</a>
                      <a class="username" href="/sekoia_io" title="@sekoia_io">@sekoia_io</a>
                    </div>
                    <span class="tweet-date"><a href="/sekoia_io/status/1458352941769838595#m" title="Nov 10, 2021 · 8:36 AM UTC">10 Nov 2021</a></span>
                  </div>
                  <div class="quote-text" dir="auto"><a href="/search?q=%23APT31">#APT31</a>, <a href="/search?q=%23Zirconium">#Zirconium</a>, <a href="/search?q=%23JudgmentPanda">#JudgmentPanda</a>... whatever its name, <a href="http://SEKOIA.IO">SEKOIA.IO</a>'s <a href="/search?q=%23CTI">#CTI</a> team had an in-depth look at this 🇨🇳intrusion set.
🧐Discover our latest research findings on the infrastructure and implants used by APT31: <a href="https://bit.ly/3wBiqfl">bit.ly/3wBiqfl</a>
<a href="/search?q=%23ThreatIntel">#ThreatIntel</a> <a href="/search?q=%23CyberSecurity">#CyberSecurity</a></div>
                </div>
                <p class="tweet-published">Nov 10, 2021 · 8:28 PM UTC · Twitter Web App</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 11</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 71</div></span>
                </div>
              </div></div></div></div>
        <div id="r" class="replies">
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/wxs/status/1458534571885088768#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/wxs"><img class="avatar round" src="/pic/profile_images%2F1490773624273440768%2FIWTo9VY9_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/wxs" title="Wesley Shields">Wesley Shields</a>
                        <a class="username" href="/wxs" title="@wxs">@wxs</a>
                      </div>
                      <span class="tweet-date"><a href="/wxs/status/1458534571885088768#m" title="Nov 10, 2021 · 8:38 PM UTC">10 Nov 2021</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/billyleonard">@billyleonard</a></div>
                <div class="tweet-content media-body" dir="auto">You do realize quote tweeting something with emojis in the tweet does not count to your thought leadering quota. I expect more emojis out of you, Billy.</div>
                <div class="attachments media-gif"><div class="gallery-gif" style="max-height: unset; "><div class="attachment"><video class="gif" poster="/pic/tweet_video_thumb%2FFD3Bdc7WYAUwbOk.jpg%3Fname%3Dsmall" controls="" autoplay="" muted="" loop=""><source src="/pic/video.twimg.com%2Ftweet_video%2FFD3Bdc7WYAUwbOk.mp4" type="video/mp4" /></video></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 3</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-play" title=""></span> GIF</div></span>
                </div>
              </div>
            </div></div>
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/felixaime/status/1458549095874895874#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/felixaime"><img class="avatar round" src="/pic/profile_images%2F1415360233443053574%2FbV3mZ_w1_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/felixaime" title="Félix Aimé">Félix Aimé</a>
                        <a class="username" href="/felixaime" title="@felixaime">@felixaime</a>
                      </div>
                      <span class="tweet-date"><a href="/felixaime/status/1458549095874895874#m" title="Nov 10, 2021 · 9:36 PM UTC">10 Nov 2021</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/billyleonard">@billyleonard</a></div>
                <div class="tweet-content media-body" dir="auto">Thx for the clarification and sure it is :) We will update the blog post!</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFD3OnaCXoAQwUYf.jpg" target="_blank"><img src="/pic/media%2FFD3OnaCXoAQwUYf.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 5</div></span>
                </div>
              </div>
            </div></div>
        </div>
      </div></div>
  </body>
</html>